XML External Entity Vulnerability in Jenkins Valgrind Plugin
CVE-2020-2245

7.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Valgrind Plugin
Vendor: CVE Published:; 1 September 2020

Summary

The Jenkins Valgrind Plugin up to version 0.28 is susceptible to XML External Entity (XXE) attacks due to improper configuration of its XML parser, which can lead to potential information disclosure. Attackers can exploit this vulnerability by sending specially crafted XML input to the plugin, allowing unauthorized access to internal files and potentially executing system commands.

Affected Version(s)

Jenkins Valgrind Plugin <= 0.28

References

https://jenkins.io/security/advisory/2020-09-01/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/09/01/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 1, 2020
Vulnerability Reserved
Dec 5, 2019